From: Gleb Popov
Date: Fri, 11 Oct 2024 18:30:48 +0300
Subject: Re: Why Kerberos performs account management before authentication?
To: Cy Schubert
Cc: freebsd-hackers
In-Reply-To: <20241011150941.C2966203@slippy.cwsent.com>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Fri, Oct 11, 2024 at 6:09 PM Cy Schubert wrote:
>
> I just tested this on my MIT KRB5 KDC. I created a principal and expired it
> at 0800U (my timezone U = PDT). Here are the results:
>
> slippy$ kinit cytest
> cytest@CWSENT.COM's Password:
> kinit: Password incorrect
>
> My MIT KRB5 KDC returns password incorrect to the FreeBSD Heimdal kinit for
> the expired principal.
>
> slippy$ /usr/local/bin/kinit cytest
> Password for cytest@CWSENT.COM:
> kinit: Password incorrect while getting initial credentials
> slippy$
>
> It also returns password incorrect to the MIT KRB5 kinit.
>
> What you're seeing is M$ A/D behavior.
>

This is peculiar. Thanks for conducting the test! I'll try this out myself too.